user

Description

Manage users. This type is mostly built to manage system
users, so it is lacking some features useful for managing normal
users.

This resource type uses the prescribed native tools for creating
users and generally uses POSIX APIs for retrieving information
about them. It does not directly modify /etc/passwd or similar files.

Autorequires: If Puppet is managing the user’s primary group (as
provided in the gid attribute), the user resource will autorequire
that group. If Puppet is managing any role accounts corresponding to the
user’s roles, the user resource will autorequire those role accounts.

Attributes

user { 'resource title':
  name                 => # (namevar) The user name. While naming limitations vary by...
  ensure               => # The basic state that the object should be in....
  allowdupe            => # Whether to allow duplicate UIDs. Defaults to...
  attribute_membership => # Whether specified attribute value pairs should...
  attributes           => # Specify AIX attributes for the user in an array...
  auth_membership      => # Whether specified auths should be considered the
  auths                => # The auths the user has. Multiple auths should...
  comment              => # A description of the user. Generally the user's
  expiry               => # The expiry date for this user. Must be provided...
  forcelocal           => # Forces the management of local accounts when...
  gid                  => # The user's primary group. Can be specified...
  groups               => # The groups to which the user belongs. The...
  home                 => # The home directory of the user. The directory...
  ia_load_module       => # The name of the I&A module to use to manage this
  iterations           => # This is the number of iterations of a chained...
  key_membership       => # Whether specified key/value pairs should be...
  keys                 => # Specify user attributes in an array of key ...
  loginclass           => # The name of login class to which the user...
  managehome           => # Whether to manage the home directory when...
  membership           => # Whether specified groups should be considered...
  password             => # The user's password, in whatever encrypted...
  password_max_age     => # The maximum number of days a password may be...
  password_min_age     => # The minimum number of days a password must be...
  profile_membership   => # Whether specified roles should be treated as the
  profiles             => # The profiles the user has. Multiple profiles...
  project              => # The name of the project associated with a user.
  provider             => # The specific backend to use for this `user...
  purge_ssh_keys       => # Whether to purge authorized SSH keys for this...
  role_membership      => # Whether specified roles should be considered the
  roles                => # The roles the user has. Multiple roles should...
  salt                 => # This is the 32-byte salt used to generate the...
  shell                => # The user's login shell. The shell must exist...
  system               => # Whether the user is a system user, according to...
  uid                  => # The user ID; must be specified numerically. If...
  # ...plus any applicable metaparameters.
}

name

(Namevar: If omitted, this attribute’s value defaults to the resource’s title.)

The user name. While naming limitations vary by operating system,
it is advisable to restrict names to the lowest common denominator,
which is a maximum of 8 characters beginning with a letter.

Note that Puppet considers user names to be case-sensitive, regardless
of the platform’s own rules; be sure to always use the same case when
referring to a given user.

forcelocal

gid

(Property: This attribute represents concrete state on the target system.)

The user’s primary group. Can be specified numerically or by name.

This attribute is not supported on Windows systems; use the groups
attribute instead. (On Windows, designating a primary group is only
meaningful for domain accounts, which Puppet does not currently manage.)

purge_ssh_keys

Whether to purge authorized SSH keys for this user if they are not managed
with the ssh_authorized_key resource type. Allowed values are:

false (default) — don’t purge SSH keys for this user.

true — look for keys in the .ssh/authorized_keys file in the user’s
home directory. Purge any keys that aren’t managed as ssh_authorized_key
resources.

An array of file paths — look for keys in all of the files listed. Purge
any keys that aren’t managed as ssh_authorized_key resources. If any of
these paths starts with ~ or %h, that token will be replaced with
the user’s home directory.
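
The manifest below is an added example, not part of the original reference, showing both non-default forms of purge_ssh_keys next to the ssh_authorized_key resource that decides which keys survive. The account names, UIDs, GID, paths, and key string are constructed placeholders.

```puppet
# Constructed example: names, IDs, paths and key material are placeholders.

group { 'deploy':
  ensure => present,
  gid    => 2001,
}

# Boolean form: Puppet inspects .ssh/authorized_keys under the user's home.
user { 'deploy':
  ensure         => present,
  uid            => 2001,            # pinned so the UID is identical on every node
  gid            => 'deploy',        # group is Puppet-managed, so it is autorequired
  home           => '/home/deploy',
  managehome     => true,
  shell          => '/bin/bash',
  purge_ssh_keys => true,
}

# The only key that may remain for 'deploy'. Any other entry in
# /home/deploy/.ssh/authorized_keys is unmanaged and gets purged.
ssh_authorized_key { 'deploy@build-host':
  ensure => present,
  user   => 'deploy',
  type   => 'ssh-ed25519',
  key    => 'REPLACE_WITH_BASE64_PUBLIC_KEY',
}

# Array form: every listed file is checked, and %h expands to the home
# directory. No ssh_authorized_key resource exists for 'backup', so every
# key found in either file is purged, which leaves the account with no
# key-based login.
user { 'backup':
  ensure         => present,
  uid            => 2002,
  home           => '/var/lib/backup',
  purge_ssh_keys => [
    '%h/.ssh/authorized_keys',
    '%h/.ssh/authorized_keys2',
  ],
}
```

Running the manifest with puppet apply --noop first lists the keys that would be removed without touching the files.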

system

Whether the user is a system user, according to the OS’s criteria;
on most platforms, a UID less than or equal to 500 indicates a system
user. This parameter is only used when the resource is created and will
not affect the UID when the user is present. Defaults to false.

uid

(Property: This attribute represents concrete state on the target system.)

The user ID; must be specified numerically. If no user ID is
specified when creating a new user, then one will be chosen
automatically. This will likely result in the same user having
different UIDs on different systems, which is not recommended. This is
especially noteworthy when managing the same user on both Darwin and
other platforms, since Puppet does UID generation on Darwin, but
the underlying tools do so on other platforms.

On Windows, this property is read-only and will return the user’s
security identifier (SID).

hpuxuseradd

User management for HP-UX. This provider uses the undocumented -F
switch to HP-UX’s special usermod binary to work around the fact that
its standard usermod cannot make changes while the user is logged in.
New functionality provides for changing trusted computing passwords and
resetting password expirations under trusted computing.

ldap

User management via LDAP.

This provider requires that you have valid values for all of the
LDAP-related settings in puppet.conf, including ldapbase. You will
almost definitely need settings for ldapuser and ldappassword in order
for your clients to write to LDAP.

Note that this provider will automatically generate a UID for you if
you do not specify one, but it is a potentially expensive operation,
as it iterates across all existing users to pick the appropriate next one.

Supported features: manages_passwords, manages_shell.

openbsd

User management via useradd and its ilk for OpenBSD. Note that you
will need to install Ruby’s shadow password library (package known as
ruby-shadow) if you wish to manage user passwords.